Hi:

I agree with your suggestion.

When administrators call the control plane Admin API to manage APISIX
resources (for example, adding or modifying them),
default values should not be populated. User-entered data should be
consistent with the data stored in etcd.

However, when the data plane calls `check_schema`, default values are
necessary to keep the plugin runtime process simple
and efficient (current implementation).

regards.


On Thu, Sep 11, 2025 at 4:18 PM young <yo...@apache.org> wrote:

> Dear Apache APISIX Community,
>
> Currently, the jwt-auth plugin generates a random value for
> `conf.secret` in the `check_schema` function when `conf.algorithm ~=
> "RS256" and conf.algorithm ~= "ES256" and not conf.secret`.
>
> I believe this generation behavior should be removed.
>
> Here are several reasons:
> 1. We should not populate values in `check_schema`. It's best for
> `check_schema` to only handle validation.
> 2. Modifying the user-provided configuration can easily lead to user
> confusion, which is clearly not best practice.
> 3. This also affects the diff logic in the ADC that the APISIX Ingress
> Controller depends on.
>
> To solve this problem, I will remove the corresponding code and
> instead return an error message, requiring users to fill in the
> corresponding configuration themselves.
>
> I’d love to hear the community’s thoughts on this direction. Looking
> forward to your feedback and discussion.
>
> Thanks,
> Young, Apache APISIX Committer
>


-- 

*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix
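
The behaviour discussed in this thread, as an added example that is not part of either message and is not APISIX source code: a `check_schema` that fills in `conf.secret` next to one that only validates, with a shallow diff showing how the first makes the stored configuration differ from what the user submitted. The function names, the error text, the sample configuration and the `math.random` stand-in for secret generation are all assumptions made for illustration.

```lua
-- Added illustration; not APISIX code. All names here are hypothetical.
local ASYMMETRIC = { RS256 = true, ES256 = true }

-- "Before": validation that also writes to the submitted configuration.
local function check_schema_populating(conf)
    if not ASYMMETRIC[conf.algorithm] and not conf.secret then
        -- Stand-in for the random generation described in the thread.
        -- math.random is not a CSPRNG; it is used only to show the mutation.
        conf.secret = string.format("%08x%08x",
            math.random(0, 0x7fffffff), math.random(0, 0x7fffffff))
    end
    return true
end

-- "After": validation only; conf is never modified.
local function check_schema_strict(conf)
    if not ASYMMETRIC[conf.algorithm] and not conf.secret then
        return false, "secret is required unless algorithm is RS256 or ES256"
    end
    return true
end

-- Keys whose values differ between two flat tables.
local function changed_keys(before, after)
    local keys = {}
    for k, v in pairs(after) do
        if before[k] ~= v then keys[#keys + 1] = k end
    end
    for k in pairs(before) do
        if after[k] == nil then keys[#keys + 1] = k end
    end
    table.sort(keys)
    return keys
end

local function copy(t)
    local c = {}
    for k, v in pairs(t) do c[k] = v end
    return c
end

-- Constructed sample: an HS256 consumer config submitted without a secret.
local submitted = { key = "user-key", algorithm = "HS256" }

local stored = copy(submitted)
check_schema_populating(stored)
print("populating: changed keys = " .. table.concat(changed_keys(submitted, stored), ","))

local candidate = copy(submitted)
local ok, err = check_schema_strict(candidate)
print("strict: ok = " .. tostring(ok) .. ", err = " .. tostring(err)
    .. ", changed keys = " .. #changed_keys(submitted, candidate))
```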
